feat(core): Adds policy-mode encrypt param

[dmihalcik-virtru]

For support of nanoTDFs with plain-text policy (readable without decrypting)

[gemini-code-assist]

Summary of Changes

Hello @dmihalcik-virtru, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the tdf-encrypt CLI command by adding a new option to control the storage mode of policies within encrypted TDF objects. This provides greater flexibility, particularly for nanoTDFs, allowing users to specify whether policy information should be stored in plaintext or encrypted form, while also ensuring compatibility by restricting its use to nanoTDFs only.

Highlights

• New CLI Parameter: I've introduced a new --policy-mode parameter to the tdf-encrypt CLI command. This parameter allows users to specify how the policy is stored within the encrypted object, with options for plaintext or encrypted.
• Encryption Handler Integration: The EncryptBytes handler function in pkg/handlers/tdf.go has been updated to accept and process this new policyMode parameter. This enables the underlying SDK to apply the chosen policy storage mode during the encryption process.
• nanoTDF Policy Control: For nanoTDF encryption, the policyMode parameter is now used to explicitly set whether the policy should be stored in plaintext or encrypted form within the nanoTDF object. If no mode is specified, encrypted is the default.
• ZTDF Compatibility Check: I've added validation to ensure that the policy-mode parameter is not used when encrypting with ZTDF (Zero Trust Data Format), as this feature is currently only supported for nanoTDF.
• Documentation Update: The CLI documentation for the encrypt command has been updated to include details about the new --policy-mode parameter, its description, and supported values.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a policy-mode parameter for the encrypt command, applicable to nanoTDFs, allowing the policy to be stored in either plaintext or encrypted form. The changes span the CLI command, the handler logic, and the documentation. My review, based on general Go best practices, focuses on ensuring correct error handling and improving code maintainability and documentation clarity.

[c-r33d]

Could you add a bats test to https://github.com/opentdf/otdfctl/blob/main/e2e/encrypt-decrypt.bats

[dmihalcik-virtru]

Blocked on opentdf/tests#330